MacOS VoiceOver is now able to find its way back into web contents after it navigated "out" of an application.

Fixed memory leak when using contextBridge with sandbox=true.

Fixed an issue where windows without nativeWindowOpen: true could invoke the non-native-open path.

Fixed a use-after-free error that could happen if a Tray was destroyed while showing a custom context menu.

Fixed Promise timeout issue when running Electron as Node.

electron v7.2.4 Release Notes for v7.2.4 Fixes

Email us at versions: Fixed Versions

Context isolation bypass via leaked cross-context objects in Electron

Impact

Apps using contextIsolation are affected.

Context isolation bypass via Promise in Electron

Impact

There are no app-side workarounds, you must update your Electron version to be protected.

This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

If you have any questions or comments about this advisory:

Context isolation bypass via contextBridge in Electron

Impact

Apps using both contextIsolation and contextBridge are affected.

Workarounds

Ensure you are calling event.preventDefault() on all new-window events where the url or options is not something you expect.

The vulnerability allows arbitrary local file read by defining unsafe window options on a child window opened via window.open.

Sourced from The GitHub Security Advisory Database.

Arbitrary file read via window-open IPC in Electron

Impact